A Mixed-Methods Study of Open-Source Software Maintainers On Vulnerability Management and Platform Security Features
Jessy Ayala, Yu-Jye Tung, Joshua Garcia

TL;DR
This study explores open-source software maintainers' perspectives on vulnerability management and security features, revealing challenges like supply chain mistrust and low awareness, with implications for improving OSS security practices.
Contribution
It provides new insights into OSS maintainers' views on vulnerability management and platform security, an area previously underexplored, through surveys and interviews.
Findings
Supply chain mistrust is a major challenge.
Lack of automation hampers vulnerability management.
Barriers include low awareness and perceived lack of necessity.
Abstract
In open-source software (OSS), software vulnerabilities have significantly increased. Although researchers have investigated the perspectives of vulnerability reporters and OSS contributor security practices, understanding the perspectives of OSS maintainers on vulnerability management and platform security features is currently understudied. In this paper, we investigate the perspectives of OSS maintainers who maintain projects listed in the GitHub Advisory Database. We explore this area by conducting two studies: identifying aspects through a listing survey () and gathering insights from semi-structured interviews (). Of the 37 identified aspects, we find that supply chain mistrust and lack of automation for vulnerability management are the most challenging, and barriers to adopting platform security features include a lack of awareness and the perception that they are…
Taxonomy
Topics: Information and Cyber Security · Software Reliability and Analysis Research · Software Engineering Research
